Network Settings

Information about configuring network settings

Network layout

We have three types of networks in OpenStack:

  1. Internal networks
  2. Internal networks with internet connectivity (coming soon)
  3. Public networks

Internal networks

Virtual machines in internal networks have IP addresses that are not routed outside of the university network. Thus, incoming and outgoing connections can only be made from/to IP addresses within the university network. For connections to hosts on the internet, for example for software updates, a proxy server must be configured.

Internal networks with internet connectivity

Virtual machines in this network category have public IPv6 addresses and private IPv4 addresses. SNAT on outgoing connections is performed at the outer limit of the university network. Without any additional firewall configuration, incoming connections are only possible from within the university network. However, outgoing connections to the internet are possible without further configuration.

Public networks

Virtual machines in public networks have public IP addresses. Incoming and outgoing connections are possible without further configuration. However, incoming connections from the internet need an exception in the university firewall, which can be requested via e-mail to noc@uni-muenster.de once there is a NIC entry for the virtual machine.

NIC Database Entry

Registering in the database of the NIC is currently needed for requesting certificates and having a DNS entry. We are currently automating this process, but for the time being you have to contact your IVV to create such a NIC database entry. The IVV is responsible for the network you are creating virtual machines in. You may need to give the IVV access to the OpenStack project, so they can verify that you are indeed the owner of the respective IP addresses.

Security Groups

Security groups are firewall settings at port level. This means that OpenStack acts as an external firewall for your virtual machines, enforced not on the virtual routers but directly on the network port that is attached to the virtual machine. This allows for fine-grained firewall settings even in networks/subnets used by many projects. Security groups allow L4 rules on combinations of protocol, IP address and port for incoming and outgoing connections. Instead of selecting IP addresses, you can also select foreign security groups, which refer to all virtual machines that have this foreign security group applied. For example, you can have “frontend” and “backend” security groups and only allow VMs with the “frontend” security group to access VMs in the “backend” security group.
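To make the frontend/backend example concrete, here is an added model of how security group rules are evaluated on a port. This is illustrative code written for this page, not OpenStack or Neutron code; the group names, rule sets, VM names and 10.0.0.0/24 addresses are all constructed for the example. It shows the three properties that matter in practice: a port's effective policy is the union of all its groups' rules with an implicit default deny, a rule with a remote group matches the addresses of every VM carrying that group, and a VM-to-VM flow must pass the sender's egress rules and the receiver's ingress rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str                          # "ingress" or "egress", as seen from the VM's port
    protocol: Optional[str] = None          # "tcp", "udp", "icmp"; None matches any protocol
    port_min: Optional[int] = None          # None/None means any port
    port_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None  # CIDR of the other side of the connection
    remote_group: Optional[str] = None      # or: any VM that has this security group applied


@dataclass
class VM:
    name: str
    ip: str
    groups: List[str]


def rule_matches(rule: Rule, direction: str, protocol: str, port: int,
                 remote_ip: str, vms: List[VM]) -> bool:
    """Does one rule permit this flow? Every field of the rule has to match."""
    if rule.direction != direction:
        return False
    if rule.protocol is not None and rule.protocol != protocol:
        return False
    if rule.port_min is not None and not (rule.port_min <= port <= rule.port_max):
        return False
    if rule.remote_ip_prefix is not None:
        return ip_address(remote_ip) in ip_network(rule.remote_ip_prefix)
    if rule.remote_group is not None:
        # A remote group stands for the addresses of all VMs that carry it.
        return any(rule.remote_group in vm.groups and vm.ip == remote_ip for vm in vms)
    return True  # rule without any remote restriction


def port_allows(vm: VM, direction: str, protocol: str, port: int, remote_ip: str,
                groups: Dict[str, List[Rule]], vms: List[VM]) -> bool:
    """Effective policy of one port: union of its groups' rules, default deny."""
    return any(rule_matches(r, direction, protocol, port, remote_ip, vms)
               for g in vm.groups for r in groups.get(g, []))


def connection_allowed(src: VM, dst: VM, protocol: str, port: int,
                       groups: Dict[str, List[Rule]], vms: List[VM]) -> bool:
    """A VM-to-VM flow needs the sender's egress AND the receiver's ingress to allow it.
    Security groups are stateful, so the reply packets need no rule of their own."""
    return (port_allows(src, "egress", protocol, port, dst.ip, groups, vms)
            and port_allows(dst, "ingress", protocol, port, src.ip, groups, vms))


# Constructed sample policy mirroring the frontend/backend example from the text.
GROUPS: Dict[str, List[Rule]] = {
    "frontend": [
        Rule("ingress", "tcp", 443, 443, remote_ip_prefix="0.0.0.0/0"),  # HTTPS from anywhere
        Rule("egress", remote_ip_prefix="0.0.0.0/0"),                    # unrestricted outbound
    ],
    "backend": [
        Rule("ingress", "tcp", 5432, 5432, remote_group="frontend"),     # DB only from frontend VMs
        Rule("egress", remote_ip_prefix="0.0.0.0/0"),
    ],
    "batch": [
        Rule("egress", remote_ip_prefix="0.0.0.0/0"),                    # no ingress rules at all
    ],
}

# Constructed sample VMs with made-up private addresses.
VMS = [
    VM("web-1", "10.0.0.10", ["frontend"]),
    VM("db-1", "10.0.0.20", ["backend"]),
    VM("batch-1", "10.0.0.30", ["batch"]),
]


def check(src_name: str, dst_name: str, protocol: str, port: int) -> bool:
    """Convenience wrapper over the sample data: is src allowed to reach dst:port?"""
    by_name = {vm.name: vm for vm in VMS}
    return connection_allowed(by_name[src_name], by_name[dst_name], protocol, port, GROUPS, VMS)


if __name__ == "__main__":
    for src, dst, proto, port in [("web-1", "db-1", "tcp", 5432),
                                  ("batch-1", "db-1", "tcp", 5432),
                                  ("web-1", "db-1", "tcp", 22)]:
        verdict = "allowed" if check(src, dst, proto, port) else "denied"
        print(f"{src} -> {dst}:{port}/{proto}: {verdict}")
```

Note that batch-1 is denied even though it sits in the same subnet as db-1: the backend rule references the frontend group, not an address range, so moving a VM into or out of the frontend group changes what it may reach without any rule being edited.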

Virtual Networks

In some use cases, it is necessary to create a private network with an SNAT router in front. Such a layout requires a virtual machine, called a bastion host, in the network with an additional floating IP, so that the other virtual machines in the network can be reached. In such cases, connect the primary interface of the virtual machine to one of the normal networks and a secondary interface to the private network.